Worse, the appeals court affirmed the convictions despite a significant Section 230 defense. The opinion contorted Section 230 law, relying on outmoded legal theories from Roommates.com. Fortunately, I haven't seen many citations to the appellate court's misinterpretation of Section 230, so the doctrinal damage to Section 230 hasn't spread too much (yet). However, that still leaves open whether Bollaert's conviction was correct.

Bollaert raised that issue by filing a habeus corpus petition in federal court. Such petitions are commonly filed and almost never granted, so Bollaert's petition had minimal odds of success as a matter of math. Not surprisingly, his petition fails.

The district court says that Section 230's application to Bollaert's circumstance does not meet the rigorous standard of "clearly established federal law":

In this case, the Supreme Court has never recognized that the CDA applies in state criminal actions. The Supreme Court has never indicated circumstances that would qualify a state criminal defendant for CDA immunity. Absence of applicable Supreme Court precedent defeats the contention that Petitioner is entitled to CDA immunity under clearly established federal law...

federal circuits have not applied CDA immunity in state criminal actions or indicated circumstances that would qualify a state criminal defendant for CDA immunity. Petitioner cannot satisfy § 2254(d)(1) with district court opinions applying CDA immunity in state criminal actions.

I've routinely blogged about the application of Section 230 to state criminal prosecutions, and I even wrote a lengthy discourse on why that was a good thing. Still, I can't think of any federal appellate courts that have reached this conclusion, so perhaps the court's factual claim about the jurisprudential absence is correct.

The court adds that even if Section 230 qualified as "clearly established federal law," the appellate court ruling didn't necessarily contravene that law:

the California Court of Appeal performed an exhaustive and comprehensive analysis of the applicable circuit court decisions before concluding Petitioner is an information content provider under Roommates. The state court reasonably interpreted Roommates and Jones, and reasonably concluded that Petitioner "developed, at least in part, the offensive content on his Web site by requiring users to input private and personal information as a condition of posting the victims' pictures, making him an information content provider within the meaning of the CDA."

This passage reinforces the deficiencies of the appellate court's Section 230 discussion. "[R]equiring users to input private and personal information as a condition of posting the victims' pictures" is not the encouragement of illegal content, as referenced by Roommates.com, as that information isn't actually illegal; and the Jones case rejected an "encouragement" exclusion to Section 230 while ruling for the defense. Do those deficiencies support the extraordinary relief of habeus corpus? Apparently not.

from the yikes dept

Eugene Volokh has a somewhat terrifying look at how very broad interpretations of California's identity fraud law, California Penal Code § 530.5(a) has been so broadly interpreted by the courts that it, in effect, creates a crime out of things that were normally considered, at best, civil offenses. This includes defamation, publicity rights infringements and disclosure of private facts. He discusses a few cases, but focuses on a key one that we've mentioned: the state of California's recent legal win over Kevin Bollaert, a revenge porn creep. In our writeup, we were mainly concerned with how the ruling seemed to run against Section 230's protections, but as Volokh makes clear, it's much, much worse than that.

As Volokh notes, among the charges that Bollaert was found guilty over, there was the § 502.5(a) claim of identity theft. And, he points out, nothing in the ruling limited it to revenge porn or extortion. It was just "identifying information" for the purpose of committing a tort, which suddenly becomes a criminal offense:

But nothing in Bollaert’s § 530.5 discussion was limited to revenge porn, or to extortion.

Say, for instance, that Kendra Schmollaert, Kevin Bollaert’s second cousin, has a blog with a couple of thousand readers. She publishes a blog post that mentioned an acquaintance’s formerly private sex scandal (or medical problem) and gives the acquaintance’s name. That may well constitute the tort of disclosure of private facts, and maybe Schmollaert should be liable for that. (I think the tort is too broad and vague to be constitutional, but most courts disagree with me on that.) But, to her surprise — and, I suspect, to the surprise of most media lawyers — a prosecutor decides to charge Schmollaert criminally. Guilty!

Schmollaert willfully published the aquaintance’s “identifying information” — the full name, and possibly some indication of location (e.g., if Schmollaert says the acquaintance is Schmollaert’s neighbor).

Schmollaert did so with the purpose of committing a tort, namely the disclosure of private facts. (True, Schmollaert wasn’t doing this just for the sake of committing a tort, but neither was Bollaert — Schmollaert wanted to tell an interesting story, or maybe expose an acquaintance whom Schmollaert disliked, while Bollaert wanted to make money, and both purposefully used people’s identifying information as a means of accomplishing that goal.)

Schmollaert didn’t reveal any nude photographs — but nothing in § 530.5(a) says anything whatever about nudity, or about photographs; as the courts have interpreted the statute, tortious disclosure of private facts is enough.

Schmollaert also wasn’t impersonating anyone — but neither was Bollaert.

Or say that Schmollaert instead starts selling T-shirts that depict photographs of celebrities, with captions that give the celebrities’ names. Under California law, that’s a tort, both statutory and common-law, and might lead to liability. But again Schmollaert also turns out to be guilty of a crime:

She willfully published the celebrities’ “personal identifying information” (“full names, … as well as the … photographs themselves.”

She did so with the purpose of infringing the celebrities’ right of publicity.

That's... crazy. Criminalizing defamation and publicity rights infringement by broadly interpreting an identity fraud law seems very, very problematic. As Volokh notes again, it seems extra troubling that this seems to have happened without any real legislative discussion or deliberation. Again, these things may be civil offenses, but to turn them into criminal offenses is a situation that can and will be abused. Not many people will cry for Kevin Bollaert, but the precedent this sets is potentially terrifying:

I don’t think the California Legislature was trying, with § 530.5, to so broadly criminalize tortious speech. But that’s how California courts have interpreted the statute.

And this also helps show why many commentators — myself included — criticize proposed statutes based on the possible scope of their broad and vague language, rather than just focusing on the particular problem that led to the proposal. Once a statute is enacted, prosecutors will often push them to the limits of the language, especially when the defendants are bad people doing bad things (e.g., Bollaert’s revenge porn blackmail racket). And courts will often (not always, but often) read the language broadly. The story of § 530.5 is a classic example.

It remains to be seen how widely this gets abused, but it is certainly a big concern.

from the what's-up,-california? dept

We've noted in the last month or so a series of court rulings in California all seem to be chipping away at Section 230. And now we've got another one. As we noted last month, revenge porn extortion creep Kevin Bollaert had appealed his 18-year sentence and that appeal raised some key issues about Section 230. As we noted, it seemed clear that the State of California was misrepresenting a bunch of things in dangerous ways.

Unfortunately, the appeals court has now sided with the state, and that means we've got more chipping away at Section 230. No one disagrees that Bollaert was a creep. He was getting naked pictures of people posted to his site, along with the person's info, and then had set up a separate site (which pretended to be independent) where people could pay to take those pages down. But there are questions about whether or not Bollaert could be held liable for actions of his users in posting content. Section 230 of the Communications Decency Act (CDA 230) is pretty damn clear that he should not be held liable -- but the court has twisted itself in a knot to find otherwise, basically arguing that Bollaert is, in part, responsible for the creation of the content. This is going to set a bad precedent for internet platforms in California and elsewhere.

The court, not surprisingly, relies heavily on the infamous Roommates.com ruling that also said that site didn't qualify for Section 230 immunity, because it asked "illegal" questions (about housing preferences), and since the site itself had asked those questions, it was liable for creating that "illegal" content. That's different than what happened with Bollaert's UGotPosted site, but the court works hard to insist the two are close enough:

Here, the evidence shows that like the Web site in Roommates, Bollaert created UGotPosted.com so that it forced users to answer a series of questions with the damaging content in order to create an account and post photographs. That content—full names, locations, and Facebook links, as well as the nude photographs themselves—exposed the victims' personal identifying information and violated their privacy rights. As in Roommates, but unlike Carafano or Zeran, Bollaert's Web site was "designed to solicit" (Roommates, supra, 521 F.3d at p. 1170, italics added) content that was unlawful, demonstrating that Bollaert's actions were not neutral, but rather materially contributed to the illegality of the content and the privacy invasions suffered by the victims. In that way, he developed in part the content, taking him outside the scope of CDA immunity.

I can predict that this paragraph is likely to show up in a bunch of other cases. People are going to insist that lots of other platforms that include any form of structure will now be liable if any of the content based on that structure violates the law. That, again, goes directly against the clearly stated purpose of CDA 230. And it's likely to create something of a mess for internet platforms that regularly rely on 230.

The really crazy thing here is that earlier in the ruling, the court noted that it didn't even need to answer the Section 230 question because they already had enough info to support charges of action "with the intent to defraud." But then it answered the CDA 230 issue anyway, and did so badly. No one's going to feel sorry for Bollaert, who is a complete creep. But the wider precedent of this ruling is going to be dangerous and will likely show up in lots and lots of lawsuits against internet platforms going forward.

from the but-he's-still-a-creep dept

Let's start with the basics: Kevin Bollaert is a creep who did some really horrible and shady stuff. He was something of a latecomer to the revenge porn space, basically copying a few of the more popular revenge porn sites that came before him in creating "YouGotPosted." He also copied at least some of the "business model" of Craig Brittain's "IsAnybodyDown" website, which purported to work with a third party (the fictitious "lawyer" "David Blade III") who you could pay to take down those naked pictures someone leaked to the site. In the case of YouGotPosted, Bollaert set up a companion website, called ChangeMyReputation, where you could pay and that site would magically get images taken down off YouGotPosted (there is some dispute over how clear it was that the two sites were connected). There's a decent argument that this is a form of extortion, posting naked photos of someone and then demanding cash to get them taken down -- but there are also cases in slightly different realms (such as online review sites) that suggest such activity is actually protected by Section 230. Bollaert, about as unsympathetic a defendant as you can possibly imagine was convicted of a variety of things, including not just extortion, but also identity theft, which raises some serious questions, given that Bollaert was only posting info given to him by others.

So when Bollaert got an 18-year sentence over all of this, many felt the sentence to be fairly extreme -- even among those who felt that Bollaert is a creep who deserves jail time for what he did. As we expected, Bollaert has appealed and is raising some key defenses, mostly based around Section 230 of the CDA. In short, what he did may have been awful, but you still can't blame the site operator for content uploaded by users. That's the whole crux of CDA 230. If the uploader broke the law in posting content, go after them, not the platform on which the content was uploaded.

In this case, the People seek to chip away at the clear protections provided by the Communications Decency Act. The People claim the statute’s protection did not apply to Yougotposted because Yougotposted administered the website and possessed the authority to pick and choose which information was posted. Here the People’s reliance on speculation and conjecture fails to strip appellant of the statute’s immunity. If the People’s arguments are accepted, the approach would provide an avenue for other litigants to end-run the bright-line protections provided by the statute, jeopardizing service providers and undermining speech in the process. This amounts to bad policy.

Bollaert's lawyers argue, fairly reasonably, that YouGotPosted qualifies for the CDA 230's safe harbors as a service provider. The state argues that he's the content provider, who can be liable, rather than just a platform. Bollaert's lawyer cites all the standard Section 230 cases that establish the fairly broad immunity provided to internet platforms.

Bollaert also argues that what was on YouGotPosted wasn't identity theft at all because any "unlawful purpose" associated with collection of identifying information was done by third parties, rather than Bollaert, and thus, once again, he's protected by Section 230.

In its reply brief, the State of California hits back at all of this with what seems like an incredibly weak argument. Basically it argues that because Bollaert required submitters to post personal information, that makes him a content provider, rather than a platform:

By requiring users to post personal identifying
information, appellant became an “information content provider” because
he was responsible as a developer and provider of the content he required;
thus, he was no longer a mere “interactive service provider” or “access
software provider”. In any event, because he intended to defraud victims by
concealing his true identity as the operator of both websites, the exception
appellant relies on would not apply.

Not surprisingly, California relies heavily on the infamous Rommates.com ruling, a rare case where a service provider lost its safe harbors by having a drop down menu that was seen as asking a discriminatory question about roommate preferences, violating fair housing laws. California is arguing that, by requiring uploaders to post user information, YouGotPosted is similar to Roommates.

Here, similar to the situation in Roommate, appellant willfully
obtained individuals’ personal identifying information by soliciting it from
submitters, who were required to include the victims’ full name, location
(“city, state, country”), age, and a link to the victims’ Facebook profile
page in order to submit photographs. As in Roommate, appellant became
responsible for the illegal content of the postings because the illegal content
(i.e., the non-consensual use of someone’s personal identifying information,
including their private photos) was a condition of use. Appellant then used
that information to harass and annoy victims because he knew—with
absolute certainty—that by posting the information, the victims would be
contacted by numerous strangers whom the victims would find threatening.
Appellant also used the information for the unlawful purpose of unlawfully
obtaining money from them by demanding payment in exchange for
removing his posts. This conduct does not magically become lawful
because appellant did it online, or because he recruited third parties to help
him inflict harm on a mass scale.

Except California is playing a little loose with the facts here and mixing and matching things to make its argument look stronger. The key difference was that the roommate preference question was, by itself, discriminatory and against the law. YouGotPosted asking people for identifying information is not. Again, this is not in any way to defend Bollaert or his site. But Section 230 matters quite a lot, and government attempts to limit those protections will have a serious impact on internet platforms and their willingness to allow freedom of expression.

California's lawyers spend a lot of words trying to argue that requesting identifying information with photos magically makes the whole thing illegal -- including claiming that because Bollaert knew that his users would then likely harass the people shown in those photos -- that it makes him liable as the content creator. But that still seems to be a fairly blatant misreading of the law as written and the case law itself.

California also insists that it is identity theft, because of the "fraud" of pushing people to another site to pay to have the photos removed:

Here, the evidence amply demonstrated appellant’s intent to defraud.
When victims asked to have the offending photos removed, they were
either referred to the website “ChangeMyReputation.com,” or they
followed the link to that site.... This extra step was wholly unnecessary. Appellant could have removed the photos by demanding the
money directly from the victims as part of the UGotPosted website. But
appellant presumably realized that the victims would be less inclined to pay
money to the very person responsible for posting their pictures. By creating
a separate website, appellant hoped to deceive the victims into believing
that they were receiving the legitimate services of a neutral third party who
would restore their reputation, and that they were not simply paying
blackmail to an extortionist who was the source of their misery.

Responding to California's attempt to get around Section 230, Bollaert's lawyers basically just repeat "it's a platform and the government hasn't shown any reason it's not."

Here, the People claimed the statute’s protection did not apply to appellant because he administered the “Yougotposted” website and retained the authority to pick and choose which information was posted. This does not make him a content provider. Those actions of appellant are no different than those found by the courts to be protected under the statute.... The People’s argument must fail because accepting their arguments would eviscerate protections provided by the statute, jeopardizing service providers and undermining free speech in the process.

Bollaert also says the whole claim that having two sites suddenly makes it fraud makes no sense at all:

Here, the People produced no evidence in support of their belated claim that appellant possessed personal identification information with the intent to commit fraud. CALCRIM 2401 describes fraud as having deceived another person in order to cause a loss of money or something of value or damage to a legal, financial or property right. The People belatedly raised the claim that payments made through “changemyreputation.com” were obtained by fraud because the victims were not aware that appellant managed both websites. Problems arise with the argument. First, the link to “changemyreputation.com” was visible on “Yougotposted.com.” There was no evidence suggesting appellant was trying to hide the fact that the sites were connected. A number of the victims stated it was “obvious” that the same person was behind both sites. (4RT pp. 305-306.) Additionally, the People’s argument must fail because the victims clearly believe the payment
was to have the photos removed, not because they were “deceived”.

Separate from all of this, both sides also are arguing about the extortion question, noting that a business model that offers to remove content is just a "standard business practice," and not extortion. Part of this argument is, again, buttressed by CDA 230, because the uploaded content was not uploaded by Bollaert himself, so (his lawyers argue) you can't claim that he both uploaded the content and then pushed people to pay him to take it down. It's that "other people uploaded it and thus, 230" claim that Bollaert argues makes this not extortion:

The People argued that appellant used the posting of the photographs on the website to illegally obtain money from those whose photos were posted and to have the photos removed from the “Yougotposted” website. The People argued that appellant threatened to injure the victims or “expose their secrets” by publishing the images on the website. As the CDA provides, interactive computer service providers and access software providers are under no legal obligation to remove postings submitted to their website by third parties, even those postings that are negative in nature. Appellant was simply under no obligation to remove the negative content from his website. He merely offered a service to remove the photos and, by offering such a service, he is engaging in standard business practice and not extortion.

They also argue -- and I will admit that this is a morally horrifying argument, if potentially legally sound -- that by simply posting the images first, without contacting individuals and asking for money to stop the posting, it's completely different than posting first and then offering a way to pay to take the content down.

In this case the People proceeded on the theory that the third-party postings constituted exposure of a secret affecting the persons portrayed in the photos. The initial reaction is that appellant’s operation of the website and posting information provided solely by third parties simply does not constitute a threat to expose any secret as to the other persons because the alleged secret (photos) was already in the public domain and had been provided by third parties unaccompanied by any demand for payment. In this case there is absolutely no evidence any request was made through either “Yougotposted” or “changemyreputation.com” before the photos had been submitted by the third parties. In this case appellant merely provided a means whereby, for a fee, information already legally posted could be removed.

Bollaert's lawyers also point to the recent lawsuit against Yelp, where some businesses claimed that Yelp would ask them to pay for advertising with a promise of more favorable reviews (and with some arguing that a failure to pay resulted in negative reviews). In that case (Levitt v. Yelp), the court found that even if that was what Yelp was doing (which Yelp denies), it's not extortion:

The court found the plaintiffs had no pre-existing right to a positive review and that Yelp! was in no way obligated to refrain from manipulating reviews or creating negative ones. Yelp! was simply offering a service when it offered to remove negative reviews from its web page and that the offering of that service in exchange for money amounted to a legitimate business practice.

And, of course, Bollaert argues that his situation was similar to Yelp's:

In the present case, appellant, as an interactive computer service provider was under no legal obligation to remove the postings submitted to the website by third parties, even when those postings are negative in nature. As in the above cited cases, Yelp!, Yahoo!, AOL and the dating website in the Carofano case, as well as “TheDirty.com” case, appellant could legally decline to remove any offending content from his website. Offering a fast, efficient removal service through the site “changemyreputation.com” amounted to a legal practice, akin to the practices approved in Yelp!. No crime of extortion occurred. Yelp! offered to remove negative content for money. They were under no obligation to remove those negative reviews and they offered the additional service in exchange for a fee. This is a business practice, not extortion.

The lawyers for the state of California, as you might imagine, don't like this argument very much.

This case, however, is not about incidental harms caused by a
free market economy run amok. Appellant is a criminal who intentionally
harmed thousands of people, not a legitimate businessman. While many
people knew the victims’ secrets (only because appellant had exposed them
on his website), many others had not yet seen the photos and it was that
threat of continued exposure that appellant used to extort money from the
victims. Further, because the website contained the victims’ PII, and
because appellant’s website required posters to provide that PII, appellant
was obligated to remove the content and he was not simply providing a
service that he otherwise had a legal right to perform.

Basically they try to distinguish Bollaert's site from Yelp in a variety of ways. They also note that somewhat different laws apply (federal vs. state) and that posting personal naked photos along with identifying information is very, very, very different from posting negative reviews of a business. Frankly, this argument was the one that I expected to be most convincing, but which California's lawyers breeze through without much detail.

Obviously, it will be interesting to see where the California state appeals court comes down on all of this. I do think that the identity theft claims are incredibly weak, and that the extortion claims look a lot weaker than I first expected. I really expected stronger arguments from California. And, it's pretty clear that Bollaert's site was something pretty horrible all around. But does that automatically make it illegal? As with many cases targeting the safe harbors of Section 230, there are important issues being raised about what constitutes an internet platform vs. who is responsible for actual content or behavior.

Remember, with the nearly identical site that Bollaert basically copied, the operator there, Craig Brittain, merely got a slap on the wrist from the FTC for misleading people. It also dragged his name through the mud. Bollaert, at the very least, deserves that level of treatment. But does running a creepy website that enabled harassment create criminal liability that deserves 18 years in jail? That feels like a dangerous stretch of the law to punish a creep for being a creep. And when we start doing that, we create dangerous precedents for other platforms in situations that maybe aren't so creepy.

from the none-of-this-makes-sense dept

Earlier this week, Hunter Moore -- the guy who basically invented the concept of revenge porn with his "Is Anyone Up" site -- was sentenced to two-and-a-half years in jail along with a $2,000 fine... and he has to pay $145.70 in "restitution" to a single victim. Moore was arrested for violating the CFAA, and as we noted at the time, it may be one of the few legitimate uses of the CFAA. He didn't just run a revenge porn site, he hired a guy, Charlie Evens, who got a similar sentence a week ago, to hack into the computers of unsuspecting women, and swipe naked photos of them to put on his site. The sickening bit: that "$145.70" in "restitution"? That's how much Moore paid Evens (also, Evens is jointly liable for that money, meaning that Moore might not even pay it). It's difficult to understand why the $145.70 makes any sense at all as the "harm" caused to the anonymous woman "L.B." whose computer got hacked into.

As Sarah Jeong at Vice's Motherboard notes, the reason that Moore's sentence seems so light is because of the nature of the plea bargain he agreed to with the government:

The tiny amount of restitution has partly to do with Moore’s plea bargain. He pleaded guilty to counts 2 and 9 of the indictment (which had a total of fifteen counts)—one count under the Computer Fraud & Abuse Act, and one count of aggravated identity theft. Counts 2 and 9 relate only to one victim, L.B.

So because he's only guilty on those two counts, there's just that single victim. Even so, the tiny restitution seems a bit bizarre. It's also hard to square this CFAA "punishment" with a case like Matthew Keys', who was recently found guilty of sharing a password that resulted in a brief (40 minute) defacement of the LA Times website. Yet, in that case, it was argued that he caused almost a million dollars in damages, and will be sentenced next month (with the prosecution supposedly asking for something less than five years).

Meanwhile, it's still bizarre to compare the result of this case, with other similar cases. Kevin Bollaert, who created the similar revenge porn site "YouGotPosted" was originally sentenced to 18 years in jail, along with paying $15,000 in restitution -- though his sentence was later reduced to eight years in prison and another 10 years of mandatory supervision. That length of time seemed a bit extreme.

And then there's Craig Brittain, whose IsAnybodyDown website copied Hunter Moore's with a unique addition: creating a totally fake lawyer who you could pay to get your photos and information taken off the site (Bollaert copied this model from Brittain). Brittain just got off with a wrist slap, and has been busy trying to hide this fact with abusive DMCA notices, while at the same time hilariously trying to start an Uber competitor with his buddy and revenge porn collaborator, Chance Trahan, last seen pretending to be Daymond John. Trahan never got into any legal trouble for his role in the revenge porn business and, if you want to be amused, you should read his... er.... "interview" with Rolling Stone about it.

And then there's Casey Meyering, who ran WinByState (don't ask), which was another revenge porn site, that also copied Brittain's extortionate "pay us to take down your info" model, and was recently sentenced to three years in jail. It's good to see these guys getting punished, though the randomness in the punishment and sentencing seems problematic. Moore's sentencing, in particular, seems bizarre, considering that it involved the CFAA, at a time when the CFAA is widely abused to create HUGE punishments for things that many people don't think are all that bad. Moore, on the other hand, appeared to clearly violate both the spirit and letter of the CFAA for clearly bad purposes -- and gets off with something of a wrist slap in comparison.

from the random-sentencing dept

Sentencing revenge porn extortionists seems to be all over the place. Craig Brittain, who basically originated the extortionate process of not just running a revenge porn website, but combining it with a (pretending to be) separate "pay us and we'll get your naked photos taken down" service, had his wrists duly slapped by the FTC earlier this year. Shortly after that, Kevin Bollaert, who more or less copied Brittain's plan, got sentenced to 18 years in jail (which he's currently in the process of appealing). Hunter Moore, who is often credited with being the first one to set up a big revenge porn site (without the corresponding extortionate takedowns, but apparently with hiring people to hack into computers to get copies of naked photos to post), took a plea deal with somewhere between two and seven years in jail.

And, now, Casey Meyering, who also copied Brittain's plan -- almost exactly -- and who also took a plea deal a few weeks ago, has been sentenced to three years in jail (which he can't appeal, due to the plea deal). Adam Steinbaugh, who spends his spare time hunting down revenge porn operators, provides a bit of background:

from the could-Section-230-free-him? dept

As was noted here in early February, a California court found revenge porn site owner Kevin Bollaert guilty of six counts of extortion, along with 21 counts of identity fraud. Bollaert not only ran revenge porn site YouGotPosted but also operated ChangeMyReputation, from which he would remove photos posted to his revenge porn site for a fee.

Bollaert had $20,000 in cash on him when arrested, apparently from his ChangeMyReputation sideline.

Bollaert apparently believed Obama would pass restrictive gun laws that would make certain firearms extra valuable, and began stockpiling weapons. But buying 31 guns using only a P.O. Box for an address has a way of attracting ATF agents…and a conviction for making false statements in connection with the purchase of a firearm.

During sentencing, Bollaert's attorneys mentioned the FTC's wristslap of Craig Brittain as an argument that Bollaert deserved a similarly light punishment.

The judge quoted an interview with Bollaert where he blew off Marc Randazza's lawsuits.

Kevin Bollaert was sentenced by a San Diego court to 18 years in prison following his February conviction on twenty-seven counts of extortion and identity theft.

This was much harsher than most people expected, even considering the heinousness of Bollaert's actions. Some expected a lighter sentence coupled with an extended probation period, and Steinbaugh's tweets mention a previous plea deal that was rescinded or rejected. None of that matters now. As Steinbaugh points out, if Bollaert serves every year of his term, he'll be in jail longer than some of his site's victims were alive when their pictures were posted.

The sentence will most likely be appealed. Steinbaugh advances the theory that Section 230 protections could be used to undo the extortion and identity theft charges. (Although he is careful to preface his legal speculations with this warning: "It’s rather boring — and I’m probably wrong, but someone has to raise these issues, even in defense of a revenge porn site extortionist. Only Nixon could go to China, I suppose.")

If Bollaert does appeal, he has a good chance at success with respect to the identity theft charges (assuming Bollaert himself didn’t seek out the victims’ personal information). Simply publishing content submitted by users — even if the avowed purpose of the site was to promote invasion of privacy and tortuous conduct — is immunized by §230.

Whether or not the Section 230 argument will work against criminal extortion charges remains to be seen, but previous civil cases seem to present a few possibilities.

The courts which have addressed extortionate behavior in the civil context have indicated that §230 likely immunizes that conduct. §230 applies to website operators even when they exercise traditional editorial functions.

In Ascentive, LLC v. Opinion Corp., a federal district court in New York addressed consumer gripe site PissedConsumer.com’s “Corporate Advocacy Program”, a “premium reputation management service” under which PissedConsumer would remove negative reviews (if the consumer refused to allow PissedConsumer to act as an intermediary in resolving their complaint) and resolve new complaints before they are posted. The plaintiffs brought RICO claims against PissedConsumer, including predicate acts of “commercial bribery or extortion.” The district court, in denying the plaintiffs’ motion for a preliminary injunction, ruled that the plaintiffs had not demonstrated a likelihood of success on the extortion allegations.

As ugly as it seems, the protections afforded operators of sites hosting user-generated content could keep Bollaert from being incarcerated -- or at least take a huge chunk out of his 18-year sentence. But that's the dual edge of these sorts of protections. Much like the First Amendment protects ignorant, hate-filled racists and the Fourth Amendment protects child porn enthusiasts, Section 230 can protect revenge porn site owners from the content submitted to their sites.

Bollaert's sideline removal service complicates things, but despite profiting from both ends of the equation, the content was posted by others and his extortion-esque secondary business never asked for money to prevent the posting of submitted content, but rather the removal of already-posted photos and contact info. Pure, vile nastiness to be sure, but with enough legal loopholes to potentially jeopardize his conviction.

Additionally, Section 230 protections have previously only served to defend site owners in civil cases, rather than against criminal charges. It's highly unlikely this will be applicable to appealing the criminal charges, but these are state charges rather than federal charges, so this may provide him an opportunity to test California's statutory interpretation of Section 230.

If his conviction is overturned (Steinbaugh believes the state will do everything possible to prevent this) using Section 230 as leverage, we can expect more legislative attempts to gut these protections -- from lawmakers who are content ignore the harm it will cause site owners far more respectable than those trafficking in misery and exploitation simply because the targeted activity is so repulsive.

from the two-miserable-humans-profiting-on-the-misery-of-others dept

Here's a little bit more evidence to throw on the pile marked "You Don't Need to Destroy the First Amendment/Section 230 to Stop Revenge Porn."

Eric Chanson and Kevin Bollaert, proprietors of the revenge porn site YouGotPosted, are now on the hook for $450,000 each, thanks to a default judgment. This lawsuit rests heavily on the duo's violation of child pornography laws, so it's not a complete win for revenge porn opponents, but it does suggest a way out for minors who find themselves posted on sites operated by similar blights on humanity.

Defendants watermarked sexually explicit photographs of Plaintiff, a minor, with a “You Got Posted” logo and then posted them on the Website, along with identifying information including Plaintiff’s name and state of residence (California). Defendants did not take any steps to verify Plaintiff’s age before posting her photographs. Nor did Defendants obtain Plaintiff’s consent or that of her parents. According to the complaint, Defendants were aware that Plaintiff was a minor and that the images constituted child pornography when they posted the images on the Website. Defendants used Plaintiff’s photographs to advertise the Website and profited from using Plaintiff’s images.

Neither of the defendants mounted much of a challenge to the allegations. Chanson filed a motion for dismissal after being served but the court denied it nine months later. Chanson was deemed to have defaulted in June of last year, based on his lack of communication after his September 2013 motion.

Bollaert, on the other hand, was detained by more pressing matters -- like his arrest for extortion, online harassment and identity theft. All of the charges were problematic (especially the harassment charge, which somehow managed to bypass established Section 230 protections), but they did manage to keep Bollaert otherwise occupied as the lawsuit against him proceeded. Still, Bollaert was served two months before his arrest and had the option to file a response at any point, seeing as his conviction on the extortion charge (the most logical of the charges brought -- considering Chanson and Bolleart ran a side business taking down YouGotPosted material for a fee) didn't actually occur until February of 2015.

All in all, the pair's accuser was awarded $150,000 (from each) in statutory damages under US child pornography laws, along with $150,000/each in punitive damages and another $150,000/each for violations of California's ridiculous "publicity rights" law. It may seem slightly more palatable when it's being used to punish revenge porn site operators, but that still doesn't make that bad law any less stupid or easily abused.

It all adds up to $450,000 from each of the defendants and the option to pursue legal fees is still open.

If you're looking to shut down revenge porn site operators, this particular case doesn't have a whole lot to offer, other than the likelihood that pursuing a lawsuit could easily result in a default judgment if your allegations are solid. Judging from past events, it seems unlikely that many revenge porn site operators are interested in defending their actions in front of a judge. It also provides some comfort for minors whose photos and information have been posted at these sites.

On the other hand, easily-abused laws (with the exception of California's publicity rights statute) weren't abused to pursue these site owners. There was no suggestion that posting pictures without authorization is automatically copyright infringement or any desire expressed to punch holes in Section 230 protections. That's a plus for the internet in general. And the outcome shows there are a multitude of ways to approach the revenge porn problem that don't involve carving out chunks of the First Amendment.

from the another-one-rung-up dept

So, last week, the FTC came down on revenge porn's Craig Brittain, and this week another big revenge porn/extortionist Kevin Bollaert was found guilty by a jury for his revenge porn site, YouGotPosted.com. As we wrote when he got arrested, the claims against him that made sense were the extortion claims, and he was found guilty on six extortion counts, along with 20 counts for identity fraud. No verdict was reached on charges of conspiracy.

As with Brittain's "David Blade III" and his "TakedownLawyer/Takedownhammer" website, Bollaert's YouGotPosted directed people to a website called ChangeMyReputation, where they could pay $300 to $350 to get their photos taken down off the site. That's where the extortion charges come in. It's good to see these guys go down for what they did, but some of the specifics do matter. It's unclear from the posted reports so far what the specific charges he was found guilty for cover, and whether or not some of them were the ones we pointed out initially that could be seen as problematic. It's also quite possible that Bollaert will appeal -- at which point the specifics will become a lot more important. It does seem likely that some of what he did was very much criminal extortion, as the jury found, but one hopes that the nature of what he was doing and the type of site didn't cloud the issue, such that he was also blamed for protected activity or activity by users in addition to his own activities. It's easy to want to see someone like Bollaert be taken down on criminal charges -- but we should worry about precedents that may later apply to other site operators who aren't running revenge porn sites.

from the bad-cases-make-bad-laws dept

A fair amount of attention has been paid to the announcement from Kamala Harris, the attorney general for California, that Kevin Bollaert, the operator of a revenge porn site, and corresponding "pay me to take down the revenge porn" site, has been arrested and charged with a variety of crimes, including extortion. Make no mistake about it: Bollaert is a scumbag and these revenge porn sites -- especially those with the extortionate concept of "pay us to take down those nude photos you never wanted posted in the first place" -- are highly problematic. But... as with all kinds of "highly problematic" activities, it all too often happens that law enforcement's zeal to take down the bad guy means they twist laws in dangerous ways that could have significant consequences for plenty of good sites. That appears to be the case here.

The other two asserted unlawful purposes are (1) online harassment per Penal Code 653m(b) (criminalizing “repeated contact by means of an electronic communication device”), and (2) the civil tort of public disclosure of private facts (citing a troubling precedent, In Re Rolando S.). Unlike the extortion claim, both allegations depend on the behavior of the website’s users. The complaint doesn’t allege that Bollaert himself made repeated contacts with victims using an electronic communication device, or that Bollaert himself disclosed anyone’s private facts. Instead, the complaint alleges that Bollaert ran a UGC website where users performed unlawful activities. But that’s exactly what UGC websites do: they let users publish content online for both good and evil. If we hold UGC website operators responsible for the fact that their users sometimes commit crimes, then all UGC website operators are criminals.

Fortunately, that’s not the law. In 1996, in 47 USC 230 (Section 230), Congress said that websites aren’t liable for third party content, even if the third party violates state criminal law. From my perspective, based on the allegations in the complaint and arrest warrant, the identity theft charges predicated on harassment and privacy violations appear to be preempted by Section 230

It's no secret that the various state attorneys general, including Harris, would love to wipe out Section 230. So perhaps she sees this as a chance to take a case so emotionally charged that she can get a favorable ruling. That's dangerous, since as Goldman notes, this would effectively wipe out Section 230 for many, many sites that allow user contributed content.

A second problem with the complaint is that it relies on an identity theft law used against Bollaert. But anyone looking at the situation would know right away that this isn't any kind of identity theft. Again, Goldman explains:

The crime asserted here, Penal Code 530.5(a), has two elements. First, the defendant must willfully obtain personal identifying information. Second, the defendant must use that information for an unlawful purpose.

When applied to actual identity theft, these elements make sense. If I steal your social security number and use it to obtain a credit card that I use to run up fraudulent charges, the two elements are clearly satisfied.

As applied to Bollaert, in contrast, the elements are confusing. (The criminal complaint, as typical for the genre, doesn’t explain how the law applies to the facts). How did Bollaert willfully obtain personal identifying information? He allegedly ran a UGC website where users could submit photos and personal information structured into standardized categories. It seems like this allegation would equally describe how all UGC websites “willfully” obtain content from their users.

The one area where the claim may actually make some sense is the extortion claim -- as that definitely seems questionable. However, once again, this can run into some problems. For example, you can see a perfectly legitimate service that charges some sort of processing fee to take down content that had been previously posted. Merely charging to remove content, by itself, shouldn't be seen as extortion. Hell, we've recently had comment spammers who apparently got punished by Google's search rankings email us about removing the comment spam they were able to sneak through our spam filters. When I mentioned how silly this was on Twitter, many people suggested that we should charge the spammers to remove their spam comments. That actually seems like a reasonable (if amusing) idea. But would that be extortion? Under the claims against Bollaert, it's possible that such an action would be considered the same thing -- but I doubt most people would think the request to spammers would be extortion (not that we've done it either way).

And that leaves this whole case in a tricky spot. Bollaert's site was a problem. What he was doing was despicable in so many ways it's almost difficult to keep track of them all. But, if the case is allowed against him, it's quite possible that very bad precedents will be set that lead to significant problems for tons of legitimate sites. As Goldman notes, however, there's a good chance it will never get this far. Bollaert almost certainly will take a plea deal, and Harris will get yet another headline about how she's protecting the citizens of California, even if her legal theories might undermine its economy -- and many of the sites that people around the globe enjoy.